Adding ability to maintain existing Encryption Secrets at Rest. (#4255)
* Adding ability to maintain existing Encryption Secrets at Rest. If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets. * Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
This commit is contained in:
parent
802ac377b8
commit
07b2894080
2 changed files with 31 additions and 0 deletions
|
@ -163,3 +163,5 @@ kube_override_hostname: >-
|
|||
{%- else -%}
|
||||
{{ inventory_hostname }}
|
||||
{%- endif -%}
|
||||
|
||||
secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm}}.keys[0].secret"
|
||||
|
|
|
@ -1,4 +1,33 @@
|
|||
---
|
||||
- name: Check if secret for encrypting data at rest already exist
|
||||
stat:
|
||||
path: "{{ kube_cert_dir }}/secrets_encryption.yaml"
|
||||
register: secrets_encryption_file
|
||||
|
||||
- name: Slurp secrets_encryption file if it exists
|
||||
slurp:
|
||||
src: "{{ kube_cert_dir }}/secrets_encryption.yaml"
|
||||
register: secret_file_encoded
|
||||
when: secrets_encryption_file.stat.exists
|
||||
|
||||
- name: Base 64 Decode slurped secrets_encryption.yaml file
|
||||
set_fact:
|
||||
secret_file_decoded: "{{secret_file_encoded['content'] | b64decode | from_yaml}}"
|
||||
when: secrets_encryption_file.stat.exists
|
||||
|
||||
- name: Extract secret value from secrets_encryption.yaml
|
||||
set_fact:
|
||||
kube_encrypt_token_extracted: "{{ secret_file_decoded | json_query(secrets_encryption_query) | first | b64decode}}"
|
||||
when: secrets_encryption_file.stat.exists
|
||||
|
||||
- name: Set kube_encrypt_token across master nodes
|
||||
set_fact:
|
||||
kube_encrypt_token: "{{ kube_encrypt_token_extracted }}"
|
||||
delegate_to: "{{ item }}"
|
||||
delegate_facts: true
|
||||
with_inventory_hostnames: kube-master
|
||||
when: kube_encrypt_token_extracted is defined
|
||||
|
||||
- name: Write secrets for encrypting secret data at rest
|
||||
template:
|
||||
src: secrets_encryption.yaml.j2
|
||||
|
|
Loading…
Reference in a new issue